CVE-2026-2792

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0007 21.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to…

run arbitrary code. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely remediation of flaws like the memory safety bugs in CVE-2026-2792 by applying patches released in updated Firefox and Thunderbird versions.

SI-16 Memory Protection good match

prevent

Provides memory protections such as address space layout randomization and data execution prevention to block exploitation of memory corruption from out-of-bounds writes in affected browsers.

SC-39 Process Isolation partial match

prevent

Enforces process isolation and sandboxing in browsers to limit the impact of arbitrary code execution resulting from memory safety vulnerabilities like CVE-2026-2792.

Security SummaryAI

CVE-2026-2792 involves multiple memory safety bugs, classified under CWE-787 (Out-of-bounds Write), present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147, and Thunderbird 147. These bugs exhibited evidence of memory corruption, which Mozilla presumes could be exploited with sufficient effort to achieve arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.

Attackers can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), potentially leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Any unauthenticated remote attacker could target affected browsers or email clients to corrupt memory and, with advanced techniques, execute arbitrary code within the victim's context.

Mozilla's security advisories (MFSA 2026-13, 15, 16, and 17) detail the fixes applied in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird ESR 140.8. Users should update to these patched versions to mitigate the risks, as referenced in the associated Bugzilla entries.

Details

CWE(s): CWE-787

Affected Products

mozilla

firefox

≤ 140.8.0 · ≤ 148.0

mozilla

thunderbird

≤ 140.8.0 · ≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Memory corruption RCE in client apps (Firefox/Thunderbird) with no user interaction directly enables T1203 Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/buglist.cgi?bug_id=2008912%2C2010050%2C2010275%2C2012331
Broken Link · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-15/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-17/
Vendor Advisory · security@mozilla.org